99% of UK law firms at risk of email fraud

According to a recent study by OnDMARC, just one organisation out of the top 100 law firms in the UK has “sufficient measures in place to fully protect against email fraud”.

The first quarter of 2017 saw 45 cyber theft cases targeting UK law firms alone. In 2016 phishing attacks increased by 65%. These are very worrying findings and should serve as a warning to UK law firms to take action to protect their sensitive data.

With over 10,000 law firms operating in the UK, handling sensitive and hugely confidential commercial and private data, there is a real opportunity for scammers to target the legal sector.

The large volume of confidential information held by law firms makes them a target for cyber criminals.

She continued:

Many law firms either don’t understand the risk or assume that their existing email systems will do the job of protecting them, even though our study very quickly demonstrated that it’s all too easy for a criminal to exploit these firms’ email domains in order to impersonate the company and send out fraudulent messages to external clients and stakeholders.

A more worrying revelation from the study is that firms believed “their existing IT security solutions would cover their organisation against sender fraud”.

Sender fraud allows attackers to impersonate and exploit email domains in order to deploy fraudulent emails to customers.

Dr Rois Ni Thuama concluded:

We’re usually quick to blame human users as the most insecure element of the cyber security chain, but in the case of email spoofing, it’s the basic email systems that are being duped, which is a big reason why legal firms have experienced losses, mainly via phishing, of over £3 million in just three months.

Phishing attacks are on the increase, and these findings reiterate the importance of training staff.

How to protect your organisation from phishing attacks

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organisation’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim and shows them how they can mitigate the threat of an attack.